Privacy Policy
Effective date: July 10, 2026
This policy describes how Kos Holdings LLC (DBA ExclusionWatch, "we") collects and uses information through exclusion-watch.com and the ExclusionWatch service.
1. Information we collect
Account information: your name, email address, organization name, and password (stored as a salted hash — we never store plaintext passwords).
Roster data you upload: names of your employees, contractors, and vendors, and optionally their middle names, dates of birth, NPI numbers, and role titles. This is personal data of third parties (your workforce); you are responsible for having a lawful basis to share it with us, and we process it only on your behalf to provide screening. We never collect or store Social Security numbers.
Screening results: match results, your review decisions and notes, and generated reports — retained so you have an audit trail.
Payment information: handled entirely by Stripe; we store only your Stripe customer/subscription identifiers and plan, never card numbers.
Technical data: standard server logs (IP address, browser type, pages requested) for security and operations.
2. How we use it
To provide the Service: running monthly screenings against the OIG LEIE, generating reports, emailing you results and account notices, and providing support. We do not sell personal data, we do not use roster data for advertising or model training, and we do not screen or use your roster for any purpose other than providing the Service to you.
3. Service providers
We use a small set of processors to operate the Service: Railway (application and database hosting), Stripe (payments), and Resend (transactional email). Each receives only what it needs to perform its function. Government exclusion data is retrieved from public HHS-OIG sources; your roster data is never sent to OIG or any government system.
4. Retention and deletion
We retain your account, roster, and screening history while your account is active, because the audit trail is a core feature. If you cancel, you may export your data; we may delete it beginning 30 days after account closure. You may request deletion of your account and associated data at any time by emailing [email protected].
5. Security
Data is encrypted in transit (TLS) and at rest by our hosting provider. Access to production systems is limited to account administration and operations. No system is perfectly secure; if we learn of a breach affecting your data we will notify you promptly consistent with applicable law, including the Oregon Consumer Information Protection Act.
6. Your rights
You may access, correct, export, or delete your data through the app or by contacting us. Individuals on a customer's roster should direct requests to their employer (our customer), which controls that data; we will assist our customers in honoring such requests.
7. Cookies
We use only essential cookies: a session cookie to keep you signed in. No advertising or cross-site tracking cookies.
8. Children
The Service is for business use and not directed to children under 16.
9. Changes
We will announce material changes to this policy by email or in-app notice before they take effect.
10. Contact
Kos Holdings LLC (DBA ExclusionWatch), Salem, Oregon · [email protected]